{ "threat_severity" : "Moderate", "public_date" : "2026-01-27T00:00:00Z", "bugzilla" : { "description" : "openssl: OpenSSL: Arbitrary code execution or denial of service through crafted PKCS#12 file", "id" : "2430375", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2430375" }, "cvss3" : { "cvss3_base_score" : "6.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-233", "details" : [ "Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation\nwhich can trigger a stack-based buffer overflow, invalid pointer or NULL\npointer dereference during MAC verification.\nImpact summary: The stack buffer overflow or NULL pointer dereference may\ncause a crash leading to Denial of Service for an application that parses\nuntrusted PKCS#12 files. The buffer overflow may also potentially enable\ncode execution depending on platform mitigations.\nWhen verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2\nsalt and keylength parameters from the file are used without validation.\nIf the value of keylength exceeds the size of the fixed stack buffer used\nfor the derived key (64 bytes), the key derivation will overflow the buffer.\nThe overflow length is attacker-controlled. Also, if the salt parameter is\nnot an OCTET STRING type this can lead to invalid or NULL pointer\ndereference.\nExploiting this issue requires a user or application to process\na maliciously crafted PKCS#12 file. It is uncommon to accept untrusted\nPKCS#12 files in applications as they are usually used to store private\nkeys which are trusted by definition. For this reason the issue was assessed\nas Moderate severity.\nThe FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as\nPKCS#12 processing is outside the OpenSSL FIPS module boundary.\nOpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.\nOpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do\nnot support PBMAC1 in PKCS#12.", "A flaw was found in OpenSSL. When an application processes a maliciously crafted PKCS#12 file, an attacker can exploit a stack buffer overflow or a NULL pointer dereference. This can lead to a denial of service (DoS) by crashing the application, and in some cases, may enable arbitrary code execution. The vulnerability arises from the lack of validation for PBKDF2 salt and keylength parameters within the PKCS#12 file." ], "statement" : "This vulnerability is rated Moderate for Red Hat. It affects OpenSSL versions 3.6, 3.5, and 3.4, where improper validation of PBMAC1 parameters in PKCS#12 MAC verification can lead to a stack buffer overflow or NULL pointer dereference. Exploitation requires an application to process a maliciously crafted PKCS#12 file, which is uncommon as these files are typically trusted. OpenSSL versions 3.3, 3.0, 1.1.1, and 1.0.2 are not affected as they do not support PBMAC1 in PKCS#12.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1472", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "openssl-1:3.5.1-7.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1496", "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0", "package" : "openssl-1:3.2.2-16.el10_0.6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1473", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "openssl-1:3.5.1-7.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2026-01-28T00:00:00Z", "advisory" : "RHSA-2026:1473", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "openssl-1:3.5.1-7.el9_7" }, { "product_name" : "Cost Management 4", "release_date" : "2026-02-24T00:00:00Z", "advisory" : "RHSA-2026:3228", "cpe" : "cpe:/a:redhat:cost_management:4::el9", "package" : "costmanagement/costmanagement-metrics-rhel9-operator:sha256:1dd05671a8614a4354d9ebf94673f9e1bfd7a38af7052c2a4b9a25264f3ee4e1" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1736", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-server-rhel9:sha256:519d4fe184cebe5152f840e9f609fa4705590656ac9bcace2e2e17622ab7e6a8" }, { "product_name" : "Red Hat Discovery 2", "release_date" : "2026-02-02T00:00:00Z", "advisory" : "RHSA-2026:1736", "cpe" : "cpe:/a:redhat:discovery:2::el9", "package" : "discovery/discovery-ui-rhel9:sha256:26bb49a8e2e695d61192f04eb0db63efa8210bba20ea22b60e4e22d519d8b9e6" }, { "product_name" : "Red Hat Insights proxy 1.5", "release_date" : "2026-02-10T00:00:00Z", "advisory" : "RHSA-2026:2485", "cpe" : "cpe:/a:redhat:insights_proxy:1.5::el9", "package" : "insights-proxy/insights-proxy-container-rhel9:sha256:975a1e501a8520df83f3f4114e72a71384ff1866ec99c7a45fffbf8c76ef5cbc" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-02-11T00:00:00Z", "advisory" : "RHSA-2026:2563", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/installer-rhel9:sha256:48cf7cf48dfadb17f9357bf1894a5d0393551a893faa8b0ea0e11fe1ffed497f" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4943", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/cds-rhel9:sha256:200c27e9b396276bd505c6b41127ac5eb1d94d620172cb818ae733f2a21ac524" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4943", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/haproxy-rhel9:sha256:d98fd3fe5f5f9acd0efae7db19b61b864be1eb2fbe2586a1b6be2429fa2cc7a3" }, { "product_name" : "Red Hat Update Infrastructure 5", "release_date" : "2026-03-18T00:00:00Z", "advisory" : "RHSA-2026:4943", "cpe" : "cpe:/a:redhat:rhui:5::el9", "package" : "rhui5/rhua-rhel9:sha256:5f1fbf66fb349a7baf066a1216d39989c3b89f18ec5108b96d9643baf4856778" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "edk2", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "shim", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-aarch64", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-x64", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "ovmf", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "compat-openssl10", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "edk2", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "mingw-openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "openssl", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "shim", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "shim-unsigned-x64", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "compat-openssl11", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "edk2", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "shim", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-aarch64", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Fix deferred", "package_name" : "shim-unsigned-x64", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Hardened Images 1", "fix_state" : "Under investigation", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:hummingbird:1" }, { "product_name" : "Red Hat JBoss Core Services", "fix_state" : "Fix deferred", "package_name" : "openssl", "cpe" : "cpe:/a:redhat:jboss_core_services:1" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "rhcos", "cpe" : "cpe:/a:redhat:openshift:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-11187\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11187" ], "name" : "CVE-2025-11187", "mitigation" : { "value" : "To mitigate this issue, avoid processing untrusted PKCS#12 files. Applications should only handle PKCS#12 files from trusted sources, as these files are typically used for storing private keys and are expected to be secure.", "lang" : "en:us" }, "csaw" : false }